InfoSec Round-Up: January 17th

Ryuk Ransomware Gang, Cryptocurrency Fortunes & SolarWinds

This is the Hut Six InfoSec Round-Up, where we look at some of the most pressing matters, latest trends, and industry news from across the world of information security.

UN Staff Records Exposed

Security researchers have disclosed a systems vulnerability in United Nations’ systems which saw over 100,000 employee records exposed.

Discovered by ethical hacking and security research group ‘Sakura Samurai’, the records relate to, amongst other projects, the United Nations Environmental Programme (UNEP) and contained extensive personally identifiable information, including names, ID numbers, gender, pay grade, records of travel and evaluation reports.

Stemming from exposed Git directories and credentials, the flaw was found as part of the United Nation's Vulnerability Disclosure Program, in which the intragovernmental organisation encourages researchers to find and disclose security flaws in the UN’s publicly accessible systems.

Though the issue was quickly addressed, the UN is a frequent target for hackers, with hundreds of gigabytes of internal UN data being exfiltrated in a 2019 attack.

Speaking to their research, a representative of Sakura Samurai explained, “When we started researching the UN, we didn't think it would escalate so quickly. Within hours, we already had sensitive data and had identified vulnerabilities. Overall, in less than 24 full hours we obtained all of this data.”

Ryuk Ransomware Cartel Amasses $150M

According to research, studying the flow of elicit Bitcoin ‘earnings’, operators of the Ryuk strain of ransomware have profited to the tunes of over $150M.

Responsible for many high-profile attacks, such as last year’s Sopra Steria hack, and that against Baltimore County school district, Ryuk was first observed in 2018 and represents a significant international information security threat.

Often not observed until a period of time after the initial infection (ranging from days to months), the operators will often gather extensive intelligence upon a target to help leverage ransom negotiations.

Based on the analysis of 61 associated Bitcoin addresses, researchers at security firm HYAS have also reported that the ransomware gang has funnelled their ill-gotten gains via two Asia-based exchanges, Huobi and Binance, which according to researchers are “structured in a way that probably wouldn’t obligate them to comply [with international finance laws]”

The researchers further noted, “With the limited visibility available to analysts, it is painfully clear that the criminals behind Ryuk are very business-like and have zero sympathy for the status, purpose or ability of the victims to pay.”

Crypto Wallet Disaster

We have all been in that awkward position of having forgotten a password, but for programmer Stefan Thomas, his forgetfulness may have cost him around $240m.

Mr Thomas, a German programmer living in San Francisco was, over a decade ago, paid 7,002 bitcoins as payment for making a video explaining how cryptocurrency works. Storing his earnings in an IronKey digital wallet, Mr Thomas reportedly wrote his password down on a piece of paper.

Skip forward several years; bitcoin’s value has grown exponentially, and those 7,002 bitcoins are now currently worth around $240m. Unfortunately, Mr Thomas has forgotten his password and lost his note, and crucially, after 10 failed attempts, the wallet becomes completely inaccessible.

Having already made 8 failed attempts, Mr Thomas is almost out of options.

With some security professionals reaching out online to offer their assistance, the unfortunate programmer is not the first to have been locked out of their fortune. It is estimated around a mindboggling $140bn worth of Bitcoin is lost or left in inaccessible wallets.

A particularly visceral example of the importance of proper password security and practices, Mr Thomas told The New York Times “I would just lay in bed and think about it… Then I would go to the computer with some new strategy”, adding “I got to a point where I said to myself, ‘let it be in the past, just for your own mental health.’”

Microsoft President Condemns SolarWinds Hack

Microsoft President Brad Smith has, at the CES technology trade show, referred to the SolarWinds hack as a “mass indiscriminate global assault” that should act as a wake-up call to security professionals.

The SolarWinds network monitoring software was attacked sometime last year, being altered to provide hackers with a backdoor into the systems of its users. A compromise which was disclosed by the company in December.

The attack, which distributed roughly 18,000 packages of malware onto organisations’ networks, is believed to have originated from the Russian state and compromised accounts at the US Department of Justice as well as many other government agencies across the world.

As one of the many organisations affected, Microsoft’s Brad Smith noted in his speech, “Governments have spied on each other for centuries… but we’ve long lived in a world where there were norms and rules that created expectations about what was appropriate and what was not; and what happened with SolarWinds was not.”

Thank you for reading this edition of Infosec Round-Up. Please be sure to subscribe to the Hut Six YouTube Channel to keep up to date with the latest news and see all our latest information security videos.